François Thill, Security Director at the Ministry of the Economy, discusses the latest cybersecurity trends and shares his pieces of advice to Luxembourgish companies by depicting the main pillars of a robust cybersecurity strategy. Moreover, the expert also tells us about the future initiatives of the government in terms of IT Security.

What are the main cybersecurity trends?

Cybersecurity is still a very costly and complex domain. One of the most promising trends consists therefore in intense cross-sector as well as cross-border collaboration, especially in the area of threat and vulnerability intelligence. Collaboration leads to commonly agreed situational awareness and thus to comparable risk management and

better-informed governance decisions in an ecosystem that is per definition complex and interdependent. Due to the fact, that multiple actors share knowledge, based on a commonly agreed taxonomy, threat information is not only limited to indicators of compromise but can be aggregated into the understanding of campaigns or event identification of threat actors.

This trend of sharing relevant information will accelerate and include business workflow details of cyber criminals, like account numbers, crypto currency wallets or autonomous systems used by malicious groups.

Cybersecurity is a societal challenge. If individual entities are closely collaborating and are able to rely on their peers to provide specialized cyber security services of high quality, they contribute to a far more resilient ecosystem than if they try to handle cyber issues by themselves. Together, we can create a strong economical attractiveness factor.

A second promising trend is trust management. Traditional certification schemes, relying on the evaluation of a single security component are reformed (Common Criteria evaluations). These traditional certification schemes are not only time consuming and expensive, but also prohibitive to changes. They are inaccessible for start-ups, and create a protectionist market access control. Nowadays, security device hardware becomes a commodity, and it is the software that represents the key component. This software needs to be updated on a regular basis to correct misfits or provide new functionalities in our quickly evolving economy. Creating new certification schemes able to cope with these requirements, as well putting in place regulatory sandboxes, to identify new dynamic regulatory frameworks, represent a very interesting trend in cyber security.

What are your three main pieces of advice to companies in Luxembourg that today still haven’t added cybersecurity to their strategy?

Cybersecurity is a board issue. Impacts caused by cyber security incidents can have devastating consequences not only for the company itself but also for its contractors and customers. For this reason, I advise companies firstly to become aware of their most important business information and processes. Secondly, I would advise companies to develop a risk based governance approach, to perform regular risk assessments using real-life incident scenarios, and to implement appropriate organizational and technical measures. Thirdly, businesses must take on board their employees, since the “human factor” presents a large range of exploitable vulnerability patterns. Technical safety is important, but often overrated in its overall role. Take the example of the security devices in a car (security belt or ABS). They do provide security to a certain extent, but they are not able to protect the driver against careless driving.

What are the main components of a robust cybersecurity strategy? What are the main pillars?

In cybersecurity, collaboration is key. Therefore, a robust governmental strategy should focus on governance, cooperation and coordination and play a unifying role. Cybersecurity is a strong factor of attractiveness for our economy as it generates trust.

Setting up situational awareness and sharing existing information to build objective and comparable risk management is key to an effective and efficient governance. Once most common incident scenarios, as well as probabilities of threats, ease of exploitation of vulnerabilities and efficiency of risk treatment measures are made available, both the general public as well as the private sector will be able to create comparable risk assessments. The aggregation of these risk assessments on a regulatory level will leads to informed governance decisions and effective guidance, minimizing the usage of coercive measures. Collaborating with the government in this respect should lead to a competitive advantage rather than a regulatory burden.

A governmental strategy should also foster collaboration between public and private entities by providing the right tools and frameworks to collaborate and capitalize on synergies. It is also the government’s role to raise awareness especially at the level of citizens, SMEs and to provide them with appropriate information and services.

Finally, a governmental strategy should also focus on the creation and maintenance of a secure privately or publically owned digital infrastructure as a business enabler. Preventive, protective, incident response and repressive capabilities with adequate competences and skills must be available in an economy relying on digital services. The third governmental strategy (2018-2021) addresses all these factors in a collaborative approach.

How is the government supporting the companies located in Luxembourg when it comes to improve their defense and cybersecurity approaches?

The government of Luxembourg provides guidance in terms of behavior and organizational measures via the web sites of ANSSI, as well as BEE SECURE. It provides free diagnostic services as well as tools to share threat intel and perform risk assessments. The government provides incident response capabilities via four governmental sponsored CERTs. There are financial programs to help companies to improve their digital capabilities as well as their cybersecurity. These are provided by the Ministry of the Economy, with the support of Luxinnovation. Finally, the government provides grants in R&D activities.

Can you tell us more about the government’s future initiatives in terms of cybersecurity?

The government is transposing the third cybersecurity strategy, based on 22 objectives and 61 action items. Luxembourg government is keen to create situational awareness and to introduce an informed governance approach, with the aim to the create a risk-sharing platform in the spirit of MISP (malware information sharing platform) operated by CIRCL. The government will also create a national DDoS mitigation center under the control of the High Commissioner for National Protection. Moreover, the government will invest in cyber defense.

How can Luxembourg reinforce its position as a digital fortress in Europe?

The digital fortress of Luxembourg can only flourish if it is inclusive and business friendly. Cybersecurity is a growing factor of attractiveness as it promotes trust. Luxembourg should intensify its efforts in this respect and continue to develop and attract the necessary skills, services and infrastructures to be able to capitalize on synergies and collaboration between all the actors in order to create a resilient, modern, open and safe economy.